Query Details

Multiple Risky AD FS Sign In

Query

let query_frequency = 5m;
let query_period = 2d;
let _ADFSTokenIssuerNames = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "ADFSTokenIssuerName"
    | summarize make_list(Auxiliar)
);
// let _ADFSResourceIdentities = toscalar(
//     _GetWatchlist("Activity-ExpectedSignificantActivity")
//     | where Activity == "ADFSTokenIssuerName"
//     | summarize make_list(DestinationAddress)
// );
// Branch 1: Entra ID Protection risk detections raised for sign-ins whose token came from ADFS.
union (
    AADUserRiskEvents
    | where TimeGenerated > ago(query_period)
    | where TokenIssuerType == "ADFederationServices"
    // A detection keeps its Id across state updates: keep when it was first seen plus the columns of its latest row.
    | summarize FirstTimeGenerated = min(TimeGenerated), arg_max(TimeGenerated, *) by Id
    // Alert only on detections that are new since the previous scheduled run.
    | where FirstTimeGenerated > ago(query_frequency)
    | extend AltAlertLink = strcat("https://entra.microsoft.com/#blade/Microsoft_AAD_IAM/RiskDetectionsBlade/riskState~/[]/userId/", UserId, "/riskLevel/[]/daysBack/90")// Someone wrote "90s" incorrectly in Defender XDR portal
    // Drop detections Entra ID already reports as remediated by an on-premises password change.
    | where case(
        //RiskState == "dismissed" and RiskDetail == "aiConfirmedSigninSafe", false,
        RiskState == "remediated" and RiskDetail == "userChangedPasswordOnPremises", false,
        true
        )
    | project
        //TimeGenerated,
        ActivityDateTime,
        DetectedDateTime,
        Source,
        Activity,
        DetectionTimingType,
        UserDisplayName,
        UserPrincipalName,
        UserId,
        IpAddress,
        RequestId,
        CorrelationId,
        TokenIssuerType,
        RiskEventType,
        RiskDetail,
        RiskLevel,
        RiskState,
        AdditionalInfo,
        Id,
        AltAlertLink
    ),(
    // Branch 2: sign-ins flagged as risky whose token was issued by one of the expected ADFS issuers.
    SigninLogs
    | where TimeGenerated > ago(query_frequency)
    | where TokenIssuerName has_any (_ADFSTokenIssuerNames) and RiskState == "atRisk" and not(RiskLevelAggregated == "none")
        // and ResourceIdentity has_any (_ADFSResourceIdentities) and AppId == "NotApplicable" and ResourceDisplayName == "SSO"
        // and TokenIssuerType == ???
    | project
        TimeGenerated,
        CreatedDateTime,
        Type,
        UserDisplayName,
        UserPrincipalName,
        UserId,
        AlternateSignInName,
        SignInIdentifier,
        UserType,
        IPAddress,
        AutonomousSystemNumber,
        Location,
        NetworkLocationDetails,
        ResultType,
        ResultSignature,
        ResultDescription,
        ClientAppUsed,
        AppDisplayName,
        ResourceDisplayName,
        DeviceDetail,
        UserAgent,
        Status,
        MfaDetail,
        AuthenticationContextClassReferences,
        AuthenticationDetails,
        AuthenticationProcessingDetails,
        AuthenticationProtocol,
        AuthenticationRequirement,
        AuthenticationRequirementPolicies,
        SessionLifetimePolicies,
        TokenIssuerType,
        IncomingTokenType,
        TokenProtectionStatusDetails,
        ConditionalAccessStatus,
        ConditionalAccessPolicies,
        RiskDetail,
        RiskEventTypes_V2,
        RiskLevelAggregated,
        RiskLevelDuringSignIn,
        RiskState,
        HomeTenantId,
        ResourceTenantId,
        CrossTenantAccessType,
        AppId,
        ResourceIdentity,
        UniqueTokenIdentifier,
        SessionId,
        OriginalRequestId,
        CorrelationId
    )

Explanation

This KQL (Kusto Query Language) query is a scheduled detection that combines two data sources, AADUserRiskEvents and SigninLogs, to surface risky activity involving tokens issued by the on-premises ADFS rather than by Entra ID directly. Here's a simplified explanation of what the query does:

  1. Define Parameters:

    • query_frequency: Set to 5 minutes. This is the interval at which the analytics rule is scheduled to run; both branches use it so that each run only returns detections and sign-ins that are new since the previous run.
    • query_period: Set to 2 days. This is the lookback for the AADUserRiskEvents branch. It is wider than the run interval because a risk detection is updated in place (same Id, new RiskState or RiskDetail), so older rows are needed to determine when a detection was first seen and what its latest state is.
  2. Retrieve ADFS Token Issuer Names:

    • The query retrieves a list of expected ADFS (Active Directory Federation Services) token issuer names from a watchlist named "Activity-ExpectedSignificantActivity": the rows where Activity is "ADFSTokenIssuerName", with the issuer name stored in the Auxiliar column. A second list of expected resource identities from the same watchlist is sketched but left commented out.
  3. Analyze AAD User Risk Events:

    • Filters AADUserRiskEvents to the last 2 days and to detections whose TokenIssuerType is "ADFederationServices", i.e. sign-ins whose token was issued by the on-premises federation service rather than by Entra ID.
    • Summarizes by detection Id: min(TimeGenerated) gives the time the detection was first seen, and arg_max(TimeGenerated, *) keeps the columns of its most recent row, so a later state change (for example "atRisk" to "remediated") is reflected.
    • Keeps only detections first seen within the last 5 minutes, so a detection that is merely updated does not alert again on every run.
    • Builds AltAlertLink, a direct link to the Entra admin center risk detections blade for that user with a 90-day window (the inline comment records that the equivalent link in the Defender XDR portal uses "90s" by mistake).
    • Drops detections that Entra ID already reports as remediated by an on-premises password change (RiskState "remediated", RiskDetail "userChangedPasswordOnPremises"); a second exclusion for detections dismissed as safe by AI is left commented out.
    • Projects (selects) specific fields for further analysis.
  4. Analyze Sign-in Logs:

    • Filters SigninLogs to the last 5 minutes.
    • Keeps only sign-ins whose TokenIssuerName matches one of the expected ADFS issuer names from the watchlist (has_any is a term match, not an exact string comparison), whose RiskState is "atRisk", and whose RiskLevelAggregated is anything other than "none". Two further conditions (on ResourceIdentity, AppId and ResourceDisplayName, and on TokenIssuerType) are left commented out as not yet settled.
    • Projects (selects) a comprehensive set of fields for further analysis, including the risk, MFA, Conditional Access and token-protection details needed to triage the sign-in.
  5. Union of Results:

    • Combines the filtered results from both AADUserRiskEvents and SigninLogs into a single dataset. The two branches project different columns; union aligns them by name and leaves a column empty in rows coming from the branch that does not have it, so anything consuming the output has to expect partially filled rows.
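
Steps 3 to 5 can be checked without live data. The query below is an added example, not part of the original query or the author's page: it runs the risk-event branch's dedup-by-Id and exclusion logic over a constructed AADUserRiskEvents-like datatable (user names, Ids and timestamps are invented) and pins "now" to a fixed time so the result is reproducible. The original's case(..., false, true) is written here as the equivalent not(...).

```kql
// Added example, not part of the original detection. Exercises the AADUserRiskEvents
// branch against constructed rows; only a subset of the real table's columns is used.
let query_frequency = 5m;
// Fixed "now" instead of ago() so the expected outcome does not depend on run time.
let asof = datetime(2025-09-17 10:00:00);
// Constructed sample. A risk detection keeps its Id across updates, so the same Id
// appears again whenever RiskState or RiskDetail changes.
let SampleRiskEvents = datatable(TimeGenerated:datetime, Id:string, UserPrincipalName:string,
                                 TokenIssuerType:string, RiskEventType:string,
                                 RiskState:string, RiskDetail:string) [
    // r1: new ADFS detection, first seen inside the 5-minute window -> should alert
    datetime(2025-09-17 09:58:00), "r1", "alice@contoso.example", "ADFederationServices", "unfamiliarFeatures", "atRisk", "none",
    // r2: first seen an hour ago (already alerted), then updated -> must not alert again
    datetime(2025-09-17 09:00:00), "r2", "bob@contoso.example", "ADFederationServices", "anonymizedIPAddress", "atRisk", "none",
    datetime(2025-09-17 09:59:00), "r2", "bob@contoso.example", "ADFederationServices", "anonymizedIPAddress", "atRisk", "none",
    // r3: new detection whose latest row says it was remediated on-premises -> skip
    datetime(2025-09-17 09:57:00), "r3", "carol@contoso.example", "ADFederationServices", "leakedCredentials", "atRisk", "none",
    datetime(2025-09-17 09:59:30), "r3", "carol@contoso.example", "ADFederationServices", "leakedCredentials", "remediated", "userChangedPasswordOnPremises",
    // r4: token issued by Entra ID, not ADFS -> out of scope for this rule
    datetime(2025-09-17 09:58:30), "r4", "dave@contoso.example", "AzureAD", "unfamiliarFeatures", "atRisk", "none"
];
SampleRiskEvents
| where TokenIssuerType == "ADFederationServices"
// One row per detection: first-seen time plus the columns of the newest row, so the
// "atRisk" -> "remediated" update of r3 is what the exclusion below sees.
| summarize FirstTimeGenerated = min(TimeGenerated), arg_max(TimeGenerated, *) by Id
// Alert only on detections that are new since the previous scheduled run.
| where FirstTimeGenerated > asof - query_frequency
// Same exclusion as the detection's case(): remediated by an on-prem password change.
| where not(RiskState == "remediated" and RiskDetail == "userChangedPasswordOnPremises")
| project Id, UserPrincipalName, RiskEventType, RiskState, RiskDetail,
          FirstTimeGenerated, LastUpdated = TimeGenerated
// Expected result: a single row, Id "r1".
```

Running this in any Kusto or Log Analytics query window returns only r1. Changing r3's second row back to "atRisk" makes r3 appear as well, which is the behaviour to expect in production when a user has not yet reset the on-premises password.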

Overall, the query surfaces new Entra ID Protection risk detections and risky sign-ins that involve tokens issued by the organization's ADFS, so that a compromised federated identity can be triaged even though the credential itself lives on-premises. It only returns events first seen since the previous run, and it relies on the watchlist being kept current with the expected ADFS token issuer names: a sign-in whose issuer is not in the watchlist is not matched by the SigninLogs branch at all.
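
Because the SigninLogs branch silently ignores issuers missing from the watchlist, the list needs to be populated and periodically reconciled. The query below is an added example, not from the original page or its author: it lists every ADFS token issuer name seen in federated sign-ins over the last 30 days and flags those absent from the watchlist. It assumes the watchlist name and the Activity and Auxiliar columns exactly as the detection uses them.

```kql
// Added example, not part of the original detection. Reconcile the watchlist used by
// the detection against the ADFS issuer names actually present in SigninLogs.
let _Known = _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "ADFSTokenIssuerName"
    | project Auxiliar;
SigninLogs
| where TimeGenerated > ago(30d)
| where TokenIssuerType == "ADFederationServices" and isnotempty(TokenIssuerName)
| summarize SignIns = count(), Users = dcount(UserPrincipalName),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by TokenIssuerName
// leftouter keeps every issuer seen in the logs; Auxiliar is empty when the watchlist lacks it.
| join kind=leftouter _Known on $left.TokenIssuerName == $right.Auxiliar
| extend InWatchlist = isnotempty(Auxiliar)
| project TokenIssuerName, InWatchlist, SignIns, Users, FirstSeen, LastSeen
// Unknown issuers first: each one is either a watchlist gap or a federation trust to investigate.
| order by InWatchlist asc, SignIns desc
```

The join here is an exact match, whereas the detection uses has_any, which matches on terms within TokenIssuerName; an issuer that shows up as InWatchlist == false may therefore still be matched by the detection if a watchlist entry contains one of its terms. Rows with InWatchlist == false and a recent FirstSeen deserve a look on their own: a federation trust the organization did not expect is itself a finding.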

Details

Jose Sebastián Canós

Released: September 17, 2025

Tables

AADUserRiskEvents, SigninLogs

Keywords

ADFSTokenIssuerName, AADUserRiskEvents, SigninLogs, User, UserId, TokenIssuerType, RiskState, RiskDetail, RiskLevel, RiskEventType, RiskLevelAggregated, DeviceDetail, AppId, ResourceIdentity

Operators

let, toscalar, _GetWatchlist, where, summarize, make_list, union, ago, min, arg_max, extend, strcat, case, project, has_any, not